LandzDown Forum

Eagle,
I can see why you had problems with that site. Not exactly friendly to a newer user. While I have very little experience with Sygate, I can try to cover some of the differences. Almost all functions with Kerio 2.1.5 are in the ruleset itself. This includes ICMP rules, which many firewalls separate or call advanced functions. Also, what other firewalls call server rights or permissions is also part of the ruleset, but isn't called that. Giving a program server rights or permission is basically allowing it to receive unsolicited connection requests from the internet, AKA listening. Another item Kerio treats differently is DNS resolving. This is it's own rule or group of rules with Kerio as opposed to treating it as part of the system.
I want to make a couple of basic points about setting up and using a rule based firewall like Kerio 2.1.5. First, you don't have to get everything perfect right away. You can take as long as you need to tighten up rules. You can also make backup copies of rulesets that can easily be re-imported should you edit something incorrectly and lock yourself offline. I've been using it for a few years now and am still tightening up the rules.
Start with Kerio in the "ask me first" setting. This way, you will be asked about everything that wants to connect out, including system components. This is necessary, especially during setup.
Kerio reads the ruleset from the first rule, downward. The first rule that applies will be used. In general, your first group of rules will apply to system components and functions. With 98, very few if any system components actually need internet access. The rules for ICMP functions, DNS resolving, loopback, etc belong in the first group. Most of these will be in the default ruleset Kerio starts with. You can edit them as you get the hang of it.
Rules for the different internet applications will come next. For some, all that's needed is a single rule. Others require several. Most do not need to receive unsolicited incoming requests. Exceptions are IM programs, internet answering machines, file sharing programs, etc. The rules for DNS resolving will also need it. If your internet service routinely pings you to see if you're using the IP, you might have to enable it for that too. Several dialup services do this. In most cases, you'll want to make separate rules for incoming traffic and limit it to only the specific IPs the app needs.
I have several screenshots from my system of some of the screens you'll see with Kerio 2.1.5.
Main Rule Interface The blacked out area are settings for my system I don't advertize.
Edit menu for DNS rule. The "custom address group this rule uses are the DNS servers for my internet service.
A rule for an app needing incoming permission, in this instance, the internet answering machine program, Call Wave.
The ICMP menus for these rules.
IMO, Kerio 2.1.5 is one of the best firewalls around, even compared to some very overpriced ones. If you need help setting it up, let me know.
Rick

I'm still staying with 98 too. Never could make myself trust XP. I haven't had the time to work on that site in some time. It needs updating (and completing) badly. This is just one of those years that I need 36 hour days and enough ambition to make use of them.
Let me know if you want help.
Rick

Ahhh Fellow 98SE Users. You know those of us who were accused of lagging behind the times and held tight to our 98's live much more comfortably on the internet then XP Users did when they jumped into those spyware/virus targets. That being said i have since upgraded to XP Pro but still have my 98SE in this same machine on another bootable drive, and to be Perfectly honest and no exaggerations, my 98 runs circles around XP hands down as for as performance and speed, and YES! especially Security!

With XP, Kerio 2.1.5 will load a default ruleset that's quite different than the one for 98. XP also has more services that will need rules, many of which the average user doesn't need. Making a ruleset for 98 will be good practice for trying it on XP. On my 98 unit, Kerio actually speeds up my internet performance slightly, probably from preventing unneeded components from using up my slow connection.
Easter,
I know a lot of people don't agree with the idea of 98 being more secure, but that's the same way I feel about it. Much easier to secure a system that can be controlled and isn't bloated with countless components and services that all want internet access.
Rick

The "customize rule" box will bring up this screen. The displayed numbers will be different than these, but the selections are in the default positions.

All the options on the customize rule screen and many more are available from the edit menu on the main rule screen, which is accessible  from the 'advanced" button on the administration screen. You can get that by right clicking on the tray icon.
This is a copy of the Default ruleset for win98. Since the first 2 colums aren't labelled in the image, I'll explain them. The column of check boxes shows which rules are in use. Only checked ones will be applied, a useful feature for experimenting. The 2nd one is the application or system component the rule applies to. ICMP rules apply to all components, as will using the "any protocol" selection.
The 3rd column, "rule description" has arrows on the left edge. There will be one or two arrows, which will be red or green. Red indicates blocked access, green indicates permitted. Arrows pointing right refer to outgoing connections. To the left referrs to incoming, or server permissions as other firewalls call it. You'll note the first rule, DNS, shows the ability to receive incoming connections, or can act as a server.
 Image of DNS Edit
For this function, incoming permission is necessary so the requesting app can receive an answer to its request. If you look at the edit menu for this rule, you'll see it permits incoming on port 53 only, and UDP protocol only. You can further tighten this rule by only allowing it to connect to your internet services own DNS servers.
You can find rules that permit incoming connections by looking at the arrows on the main screen. Look for green ones pointing left. To change any you find, use the "edit" menu or double click on the rule itself. Towards the top, you'll see a drop box labelled "direction." Change it here.
As for ICMP, on the default ruleset, the next 5 rules are for this. Three of the first 4 rules pertain to echo and echo reply. If you're certain that your internet service doesn't ping you to see if you're using the connection, you can delete these. If you're unsure, just uncheck them for now. The last ICMP rule blocks all ICMP functions not expressly permitted by the first 4 ICMP rules. See next link for image of edit menu for this rule.
ICMP Blocking Rule.
I spread the screen as much as I could. The back image is the main rule screen, with the ICMP blocking rule selected. Selecting "Edit" will call up the "Filter Rule" screen on the right. Note the absence of a drop box for selecting the app it applies to. This disappears when "ICMP" or "Any" is selected at the protocol drop box. The contents of the "remote endpoint" area will change depending on what you choose here. "Any" is what you want for ICMP. Make sure "both" is selected for direction and "deny" for action. On the far right, towards the top, you'll see a button "Set ICMP". It's only displayed when ICMP is the selected protocol. Clicking it will bring up the small menu on the left, "Rule Edit-ICMP Protocol Type". Scroll to the bottom of the list and check "all ICMP." Make sure everything in the list gets checked. This will block all ICMP. If your internet service starts dropping you for no apparent reason, you'll need to re-enable the ping (echo) rules. If all runs normal, then delete them after a few days.
I suggest you keep a copy of the original ruleset so you always have a point of reference. I also suggest that you save a copy of the existing ruleset before you edit rules. You can do this from the administration screen, miscellaneous tab, where you'll see the "load" and "save" buttons. I use the date of the ruleset for the filename. One more detail on this. If you use a password to control access to the ruleset and administrative functions, this also exports with the ruleset. If you change passwords, then import a different ruleset, the password in use at that time will apply. While the password will keep unauthorized users from playing with the ruleset or shutting Kerio down, having to type it in for every rule change will get old, fast. You might want to wait on that.
Let me know if I didn't cover your questions.
Regarding:

so many questions:-))

Not a problem. I'm having fun now.
Rick

Eagle,
I'm just the opposite. I stay up late and sleep late. Been on 2nd and 3rd shift too long.
I see I missed one of your questions regarding customizing a rule for an updatable application. I'm assuming that you're referring to apps like your AV, Ad-aware, etc.
Before I go any farther, I'd like to recommend another very useful tool that free for the downloading. It's called Sam Spade. Info and download links here. It's very useful for finding who IP addresses or ranges belong to and makes setting the IP ranges for firewall rules much easier. This program can do a lot more than this as you get to understand it more.
For this purpose, it's used like this. I'll use my AV, AntiVir for example. When I start the update, AntiVir tries to connect to 62.146.66.182. I enter this IP into Sam Spade and click on the "whois" function. Sam Spade returned this info. The address belongs to Datentechnik, the owning company. It also shows an IP range of 62.146.66.176 to 62.146.66.191 for this request. So instead of making the rule for the original single IP, you make it for the IP range named, which is likely the entire range used by that server.
 Most of these types of apps connect to either a single IP address or a small IP range. The bigger name AVs probably use a larger range or more than one. The updater for AntiVir for example can connect to any one of at least 8 update servers, each of which has its own IP range.
There's a couple ways you can approach this. One is to create a separate rule for each of those apps for each IP or IP range it uses. If you look at the connection requests for these apps, you'll likely see that each is always using the same port number and protocol, but one or more IP ranges. This is the tightest method, limiting each to only the exact IPs they use.
The second would be to use the "custom address group" section. You'll find this by going to the rulescreen and clicking on the miscellaneous tab.You can add the IP ranges for these type of apps to this area, then allow the requesting app to use the custom address group. Only do this with apps you know you can trust. As long as your using the "ask me first" setting, you will get an alert for any app you don't have a rule in place for for. If you do your updating manually, this works fine. If you have the updaters scheduled, you'll need rules in place. I don't let anything update itself so I don't put rules in for these. I make them ask every time. Use the method that matches your preference.
Rick

hi herbalist,
ok, i think im getting the hang of this fw, i also dont allow anything to update by itself, either my 98 or xp.
ill try Sam Spade and see how it goes. thank you for the link and ill get bck to you later tonight with some preliminary results. thanks for your indepth explaination on the above subjects. actually im not having ant trouble so far. i thought it would be a mind bender for this newbie but as i said, not bad at all. i am using the "ask me first" setting and im not getting anymore popups for the apps installed. of course im getting popups for those pesky probs from china and other places. i use Karens Who Is, so i check them out just to see who is probig my ports
ill swoop in  later with results

E